Date: Tue, 31 Mar 2015 18:34:21 -0700
From: Chris Steipp <csteipp@...imedia.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: MediaWiki 1.24.2/1.23.9/1.19.24
Hi, we patched several security issues in MediaWiki today. Could we get
CVEs assigned?
* iSEC Partners discovered a way to circumvent the SVG MIME blacklist for
embedded resources (iSEC-WMF1214-11). This allowed an attacker to embed
JavaScript in the SVG. The issue was additionally identified by Mario
Heiderich / Cure53. MIME types are now whitelisted.
<https://phabricator.wikimedia.org/T85850>
* MediaWiki user Bawolff pointed out that the SVG filter to prevent
injecting JavaScript using animate elements was incorrect.
<https://phabricator.wikimedia.org/T86711>
* MediaWiki user Bawolff reported a stored XSS vulnerability due to the way
attributes were expanded in MediaWiki's Html class, in combination with
LanguageConverter substitutions.
<https://phabricator.wikimedia.org/T73394>
* Internal review discovered that MediaWiki's SVG filtering could be
bypassed with entity encoding under the Zend interpreter. This could be
used to inject JavaScript. This issue was also discovered by Mario Gomes /
Beyond Security.
<https://phabricator.wikimedia.org/T88310>
* iSEC Partners discovered a way to bypass the style filtering for SVG
files (iSEC-WMF1214-3) to load external resources. This could violate the
anonymity of users viewing the SVG.
<https://phabricator.wikimedia.org/T85349>
* Internal review and iSEC Partners discovered (iSEC-WMF1214-1) that
MediaWiki versions using PBKDF2 for password hashing (the default since
1.24) are vulnerable to DoS attacks using extremely long passwords.
<https://phabricator.wikimedia.org/T64685>
* Internal review found that MediaWiki is vulnerable to "Quadratic Blowup"
DoS attacks, under both HHVM and Zend PHP.
<https://phabricator.wikimedia.org/T71210>
* iSEC Partners reported that the MediaWiki feature allowing a user to
preview another user's custom JavaScript could be abused for privilege
escalation (iSEC-WMF1214-10). This feature has been removed.
<https://phabricator.wikimedia.org/T85855>
* Extension:Scribunto - MediaWiki user Jackmcbarn discovered that function
names were sanitized in Lua error backtraces, which could lead to XSS.
<https://phabricator.wikimedia.org/T85113>
* Extension:CheckUser - iSEC Partners discovered that the CheckUser
extension did not prevent CSRF attacks on the form allowing checkusers to
look up sensitive information about other users (iSEC-WMF1214-6). Since the
use of CheckUser is logged, the CSRF could be abused to defame a trusted
user or flood the logs with noise.
<https://phabricator.wikimedia.org/T85858>
These next issues came up because of the difference in how HHVM handles PHP
code vs Zend. I'm not sure if CVEs are assigned for specific runtime
configurations? For MediaWiki, we say that HHVM support is experimental,
although we do run Wikipedia on it.
* iSEC Partners discovered an XSS vulnerability in the way api errors were
reflected under HHVM versions before 3.6.1 (iSEC-WMF1214-8). MediaWiki now
detects and mitigates this issue on older versions of HHVM.
<https://phabricator.wikimedia.org/T85851>
* iSEC Partners discovered that MediaWiki's SVG and XMP parsing running
under HHVM was susceptible to "Billion Laughs" DoS attacks
(iSEC-WMF1214-13).
<https://phabricator.wikimedia.org/T85848>
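On the PBKDF2 item (T64685): the cost comes from HMAC, which first hashes any key longer than its block size down to a digest, so an implementation that re-keys HMAC with the raw password on every iteration pays that hash once per iteration, and a multi-megabyte password multiplies the work by thousands. The following is an added example (my own code, not MediaWiki's password code and not the fix in the linked task) that models that cost, puts a naive re-keying loop next to one that keys HMAC once and verifies both against hashlib, and rejects over-long input before any hashing. The 4096-byte cap, the 16-byte salt and the iteration counts are assumptions chosen for the example.

```python
"""PBKDF2 and very long passwords: the cost model behind the DoS, a naive
re-keying loop next to a loop that keys HMAC once, and a byte cap at the
door.  Added example for this advisory, not MediaWiki code."""
import hashlib
import hmac
import math

BLOCK, DIGEST = 64, 32                    # SHA-256 block and digest sizes
MAX_PASSWORD_BYTES = 4096                 # assumed cap for this example


def compressions(pw_len, iterations, rekey_each_iteration):
    """SHA-256 compression calls for one PBKDF2-HMAC-SHA256 block (dkLen <= 32),
    assuming a 16-byte salt so every PRF input fits in one block.
    HMAC (RFC 2104) hashes a key longer than BLOCK down to DIGEST bytes before
    use, so a long password costs ceil((len+9)/64) compressions per *keying*."""
    key_hash = math.ceil((pw_len + 9) / BLOCK) if pw_len > BLOCK else 0
    pad_states = 2                       # absorbing the ipad and opad blocks
    per_iteration = 2                    # one inner and one outer data block
    if rekey_each_iteration:
        return iterations * (key_hash + pad_states + per_iteration)
    return key_hash + pad_states + iterations * per_iteration


def pbkdf2_naive(password, salt, iterations, dklen=DIGEST):
    """Straightforward loop: hmac.new(password, ...) on every iteration, so a
    long password is re-hashed `iterations` times."""
    out, i = b"", 1
    while len(out) < dklen:
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()   # re-keys HMAC
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(DIGEST, "big")
        i += 1
    return out[:dklen]


def pbkdf2_keyed_once(password, salt, iterations, dklen=DIGEST):
    """Same function, but the password is reduced to an HMAC key and the
    ipad/opad hash states are computed once and copied per iteration."""
    if len(password) > BLOCK:
        password = hashlib.sha256(password).digest()   # paid exactly once
    key = password.ljust(BLOCK, b"\0")
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key))
    outer = hashlib.sha256(bytes(b ^ 0x5C for b in key))

    def prf(data):
        h = inner.copy()
        h.update(data)
        o = outer.copy()
        o.update(h.digest())
        return o.digest()

    out, i = b"", 1
    while len(out) < dklen:
        u = prf(salt + i.to_bytes(4, "big"))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(DIGEST, "big")
        i += 1
    return out[:dklen]


def hash_password(password, salt, iterations=10_000):
    """Reject over-long input before any hashing, then use the cheap loop."""
    if len(password) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password longer than {MAX_PASSWORD_BYTES} bytes")
    return pbkdf2_keyed_once(password, salt, iterations)


if __name__ == "__main__":
    for rekey in (True, False):
        print("1 MiB password, 10k iterations, rekey=%s: %d compressions"
              % (rekey, compressions(1 << 20, 10_000, rekey)))
```

Both loops produce the same derived key as hashlib.pbkdf2_hmac; only the work differs. With the model above, a 1 MiB password at 10,000 iterations costs about 164 million compressions in the naive loop against roughly 36 thousand in the keyed-once loop, which is why both the length cap and keying HMAC once are worth having.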
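The "Quadratic Blowup" (T71210) and "Billion Laughs" (T85848) items both come down to how much memory a parser would have to allocate to expand the internal DTD subset of an uploaded SVG or XMP blob: Billion Laughs nests entities that each reference the previous one many times, Quadratic Blowup references one large entity many times from the body. As an added illustration (my own code, not MediaWiki's SVG filter and not the fix in either task), here is a pre-parse budget check that reads the entity declarations and references and computes the expanded size without expanding anything, rejecting recursive, parameter and external entities along the way. The 1 MiB size limit, the 20x amplification ratio and the sample payloads are constructed for the example.

```python
"""Pre-parse guard against XML entity-expansion DoS ("Billion Laughs" and
"Quadratic Blowup") for uploaded SVG/XMP.  Added example, not MediaWiki code."""
import re

# A DOCTYPE with an optional internal subset ([ ... ]).
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\])?\s*>", re.DOTALL)
# General (<!ENTITY n "v">) and parameter (<!ENTITY % n ...>) declarations,
# either internal (quoted value) or external (SYSTEM/PUBLIC).
ENTITY_DECL_RE = re.compile(
    r"""<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s%"'<>]+)\s+(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<ext>SYSTEM|PUBLIC)[^>]*)\s*>""",
    re.DOTALL)
ENTITY_REF_RE = re.compile(r"&([A-Za-z_:][\w.:-]*);")   # &name; but not &#NNN;
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}


class EntityCheckError(ValueError):
    pass


def _expanded_len(text, entities, memo, active):
    """Number of bytes `text` expands to, following entity references
    recursively; `active` holds the entities currently being expanded so a
    reference cycle is reported instead of looping forever."""
    total = len(text)
    for m in ENTITY_REF_RE.finditer(text):
        name = m.group(1)
        total -= m.end() - m.start()          # the literal "&name;" goes away
        if name in PREDEFINED:
            total += PREDEFINED[name]
            continue
        if name not in entities:
            raise EntityCheckError(f"undefined entity &{name};")
        if name in active:
            raise EntityCheckError(f"recursive entity &{name};")
        if name not in memo:
            active.add(name)
            memo[name] = _expanded_len(entities[name], entities, memo, active)
            active.discard(name)
        total += memo[name]
    return total


def check_entity_expansion(xml_text, max_expanded=1 << 20, max_ratio=20):
    """Return (ok, reason, expanded_bytes) without expanding anything.
    Limits are assumptions for this example: 1 MiB total, 20x amplification."""
    entities = {}
    body = xml_text
    m = DOCTYPE_RE.search(xml_text)
    if m:
        body = xml_text[:m.start()] + xml_text[m.end():]
        for d in ENTITY_DECL_RE.finditer(m.group("subset") or ""):
            if d.group("param"):
                return False, f"parameter entity %{d.group('name')}; not allowed", 0
            if d.group("ext"):
                return False, f"external entity &{d.group('name')}; not allowed", 0
            value = d.group("dq") if d.group("dq") is not None else d.group("sq")
            entities[d.group("name")] = value
    try:
        expanded = _expanded_len(body, entities, {}, set())
    except EntityCheckError as e:
        return False, str(e), 0
    if expanded > max_expanded:
        return False, f"expands to {expanded} bytes (limit {max_expanded})", expanded
    if expanded > max_ratio * max(len(xml_text), 1):
        return False, f"amplification exceeds {max_ratio}x", expanded
    return True, "ok", expanded


# Constructed sample payloads (not real uploads from the advisory).
def billion_laughs(depth=9, fanout=10):
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return f'<!DOCTYPE svg [{"".join(decls)}]><svg>&lol{depth};</svg>'


def quadratic_blowup(size=50_000, refs=1_000):
    return f'<!DOCTYPE svg [<!ENTITY a "{"a" * size}">]><svg>{"&a;" * refs}</svg>'


BENIGN_SVG = ('<!DOCTYPE svg [<!ENTITY ns_svg "http://www.w3.org/2000/svg">]>'
              '<svg xmlns="&ns_svg;"><text>a &amp; b</text></svg>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("billion laughs", billion_laughs()),
                       ("quadratic blowup", quadratic_blowup())):
        print(label, check_entity_expansion(doc))
```

The check is deliberately textual: it never hands the document to an XML parser, so it is independent of whether the runtime underneath (HHVM or Zend PHP in the advisory's case, libexpat here) enforces its own expansion limits, and it costs time linear in the number of declarations rather than in the expanded size.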